The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.

Line 9 (old) / Line 10 (new):

ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

− ''' Want to help us make ZAP even better for you? '''
+ '''ZAP 2.3.1 is now available! Download it here:'''

− ''' Just fill in the ZAP User Questionnaire which is available in both [https://docs.google.com/forms/d/1lUPTYHe9CS5tropNStoRK9jVeZ7tWRywhBHDIZjE4cA/viewform English] and [https://docs.google.com/forms/d/1xAKE3TCOaBrmFnyAVUr6NdTd3mKvu7g_uGriOcS2Ka4/viewform Spanish]! '''

You can view the responses so far (which are separate for each language) here: [https://docs.google.com/forms/d/1lUPTYHe9CS5tropNStoRK9jVeZ7tWRywhBHDIZjE4cA/viewanalytics English], [https://docs.google.com/forms/d/1xAKE3TCOaBrmFnyAVUr6NdTd3mKvu7g_uGriOcS2Ka4/viewanalytics Spanish]

+ ZAP is taking part in the '''Google Summer of Code 2014'''. See the [https://www.owasp.org/index.php/GSoC2014_Ideas#OWASP_ZAP_-_Advanced_access_control_testing OWASP wiki] for suggested projects. If you have any questions about this, please ask them on the [http://groups.google.com/group/zaproxy-develop ZAP dev group].

''' ZAP is the [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ Top Security Tool of 2013 as voted by ToolsWatch.org readers]! '''

− '''ZAP 2.1.0 is available via the above link!'''
+ For a quick overview of ZAP and to see some of the latest ZAP features, see these tutorial videos on YouTube:

− '''For more details about 2.1.0 see the [http://code.google.com/p/zaproxy/wiki/HelpReleases2_1_0 release notes]'''
+ {|
+ |-

− You can also get cross-platform [http://code.google.com/p/zaproxy/wiki/WeeklyReleases weekly releases] which include all of the latest changes.
+ {{#ev:youtube|eH0RBI0nmww}}
+ {{#ev:youtube|pYFtLA2yTR8}}

− For a quick overview of ZAP and an introduction to version 2.0.0, see these tutorial videos on YouTube:
+ |}

− {{#ev:youtube|eH0RBI0nmww}} {{#ev:youtube|a-lJafBdAeM}}

For more videos see the links on the [https://code.google.com/p/zaproxy/wiki/Videos wiki videos page].

+ Interested in a ZAP talk or training event? See the [https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project#tab=Talks talks] tab. Not one near you? Contact a [http://code.google.com/p/zaproxy/wiki/ZapEvangelists Zap Evangelist] to arrange one!

Want a very quick introduction? See the [https://www.owasp.org/index.php/File:owasp_zap_flyer_v2.pdf project pamphlet].

Line 34 (old) / Line 36 (new):

For more details about ZAP, including the full user guide, see the [https://code.google.com/p/zaproxy/wiki/Introduction wiki].

+ We recently asked our users for feedback about ZAP; you can see their responses (which are separate for each language) here: [https://docs.google.com/forms/d/1lUPTYHe9CS5tropNStoRK9jVeZ7tWRywhBHDIZjE4cA/viewanalytics English], [https://docs.google.com/forms/d/1JhUdp4cxZ3qRayYWz3JHOLSP7DPdBI-zgnFzDWxbX5A/viewanalytics French], [https://docs.google.com/forms/d/1xAKE3TCOaBrmFnyAVUr6NdTd3mKvu7g_uGriOcS2Ka4/viewanalytics Spanish], [https://docs.google.com/forms/d/1qN3MlRcjQk9riIkdpfnJLkFd4cW5ALp136da08xvMaA/viewanalytics Arabic]

Every application exposed to the world wide web is inherently open to attack. The attackers range from script kiddies and joyriders to hobbyists turned downright hostile. The earlier in the development cycle you find the vulnerabilities, the easier they are to fix and test.

OWASP ZAP is a free and open source penetration testing tool for finding vulnerabilities in web applications. Widely used by security professionals, it is also ideal for anyone new to web application security and includes features specifically aimed at developers.

This session demonstrates some attacks against web applications and how OWASP ZAP can be used to find those vulnerabilities, both manually and from automated builds.

Release description: This release includes the following significant changes:

Fuzzing: Strings in a response can now be fuzzed to try to find vulnerabilities. Anti-CSRF tokens can be detected and automatically regenerated when fuzzing. This functionality is based on code from the OWASP JBroFuzz project.

Dynamic SSL certificates: Support for SSL connections has been improved and simplified. Users can now create their own root certificate and distribute it to their HTTP clients.

Daemon mode: Starting ZAP with the "-daemon" command-line option causes it to run in the background in 'headless' mode, meaning that no UI is displayed.

API: An initial API has been implemented in XML, JSON and HTML.

BeanShell integration: BeanShell is an interactive Java shell that can be used to execute BeanShell scripts. BeanShell integration in OWASP ZAP lets you write scripts that use ZAP's functions and data.

Full internationalisation: All displayed strings are now fully internationalised.

Localisation: Out of the box support for the following languages: English, Brazilian Portuguese, Chinese, French, German, Greek, Indonesian, Japanese, Polish and Spanish.